Presentation is loading. Please wait.

Presentation is loading. Please wait.

R. Newman Anonymity - Background. Defining anonymity Defining anonymity Need for anonymity Need for anonymity Defining privacy Defining privacy Threats.

Published byNigel Andrews Modified over 8 years ago

Similar presentations

Presentation on theme: "R. Newman Anonymity - Background. Defining anonymity Defining anonymity Need for anonymity Need for anonymity Defining privacy Defining privacy Threats."— Presentation transcript:

1 R. Newman Anonymity - Background

2 Defining anonymity Defining anonymity Need for anonymity Need for anonymity Defining privacy Defining privacy Threats to anonymity and privacy Threats to anonymity and privacy Mechanisms to provide anonymity Mechanisms to provide anonymity Applications of anonymity technology Applications of anonymity technologyTopics

3 Early (pre-computer) uses for social reasons (ability to act more freely, have work accepted without prejudice, etc.) Early (pre-computer) uses for social reasons (ability to act more freely, have work accepted without prejudice, etc.) Traffic analysis an issue prior to computers (e.g., Bodyguard of Lies) Traffic analysis an issue prior to computers (e.g., Bodyguard of Lies) Computer TAP solvable with cryptography Computer TAP solvable with cryptography With public-key cryptography, theoretical possibility for anonymity and pseudonymity With public-key cryptography, theoretical possibility for anonymity and pseudonymity Anonymity - Beginnings

4 Traffic Analysis Prevention Traffic Analysis Prevention Sender, Recipient, Message Anonymity Sender, Recipient, Message Anonymity Voter Anonymity Voter Anonymity Pseudonymity Pseudonymity Revokable anonymity Revokable anonymity Data anonymity Data anonymity Forms of Anonymity

5 Cryptography Cryptography Steganography Steganography Traffic Analysis Prevention (TAP) Traffic Analysis Prevention (TAP) Mixes, crowds Mixes, crowds Data sanitization/scrubbing Data sanitization/scrubbing k-anonymity k-anonymity Anonymity Mechanisms

6 Global vs. Restricted Global vs. Restricted All links vs. some links All links vs. some links All network nodes vs. some or no nodes All network nodes vs. some or no nodes Passive vs. Active Passive vs. Active Passive – listen only Passive – listen only Active – remove, modify, replay, or inject new messages Active – remove, modify, replay, or inject new messages Cryptography Assumptions Cryptography Assumptions All unencrypted contents are observable All unencrypted contents are observable All encrypted contents are not, without key All encrypted contents are not, without keyAdversaries

7 One key, K ab, associated with entities A and B One key, K ab, associated with entities A and B Same key used for encryption and decryption: C=E(M,K ab ), M=D(C,K ab )=D(E(M,K ab )K ab ) Same key used for encryption and decryption: C=E(M,K ab ), M=D(C,K ab )=D(E(M,K ab )K ab ) For message M, ciphertext C = {M}K For message M, ciphertext C = {M}K Anyone with K ab can form ciphertext Anyone with K ab can form ciphertext Anyone with K ab can decrypt C Anyone with K ab can decrypt C For message M, MIC or MAC uses hash fcn For message M, MIC or MAC uses hash fcn If only A and B have K ab, then MAC If only A and B have K ab, then MAC If group key, then MIC If group key, then MIC Depending on E, may require crypto hash fcn Depending on E, may require crypto hash fcn Symmetric Key Cryptography

8 Two keys, K and K -1, associated with entity A Two keys, K and K -1, associated with entity A K is public key, K -1 is private key K is public key, K -1 is private key Keys are inverses: {{M}K}K -1 = {{M}K -1 }K = M Keys are inverses: {{M}K}K -1 = {{M}K -1 }K = M For message M, ciphertext C = {M}K For message M, ciphertext C = {M}K Anyone can send A ciphertext using K Anyone can send A ciphertext using K Only A has K -1 so only A can decrypt C Only A has K -1 so only A can decrypt C For message M, signature S = {M}K -1 For message M, signature S = {M}K -1 Anyone can verify M,S using K Anyone can verify M,S using K Only A can sign with K -1 Only A can sign with K -1 Public Key Cryptography

9 Limit on size of M, based on size of K in PKC Limit on size of M, based on size of K in PKC Need to format M to avoid attacks on PKC Need to format M to avoid attacks on PKC Use confounder to foil guessed ptxt attacks Use confounder to foil guessed ptxt attacks Typical use of one-way hash H to distill large M to reasonable size for signing Typical use of one-way hash H to distill large M to reasonable size for signing Typical use of PKC to distribute symmetric key for actual encryption/decryption of larger messages Typical use of PKC to distribute symmetric key for actual encryption/decryption of larger messages See http://www.rsa.com/rsalabs/ for standards See http://www.rsa.com/rsalabs/ for standardshttp://www.rsa.com/rsalabs/ Details we omit

10 Wish to receive email anonymously, but Wish to receive email anonymously, but Be able to link new messages with past ones Be able to link new messages with past ones Respond to the sender Respond to the sender Do not trust single authority (e.g., Paypal) Do not trust single authority (e.g., Paypal) Underlying message delivery system is untrusted Underlying message delivery system is untrusted Global active adversary Global active adversary Chaum – Untraceable Mail

11 Mix is like a special type of router/gateway Mix is like a special type of router/gateway It has its own public key pair, K 1 and K 1 -1 It has its own public key pair, K 1 and K 1 -1 Recipient A also has public key pair, K a and K a -1 Recipient A also has public key pair, K a and K a -1 Sender B prepends random confounder R a to message M, encrypts for A: C a = {R a |M}K a Sender B prepends random confounder R a to message M, encrypts for A: C a = {R a |M}K a B then prepends confounder for mix to C and encrypts for mix: C 1 = {R 1 |A|C a }K 1 B then prepends confounder for mix to C and encrypts for mix: C 1 = {R 1 |A|C a }K 1 B sends C 1 to mix, which later send C a to A B sends C 1 to mix, which later send C a to A Chaum Mix 1

12 Mix simply decrypts and strips confounder from message to A Mix simply decrypts and strips confounder from message to A Incoming message and outgoing message do not appear related Incoming message and outgoing message do not appear related Use padding to ensure same length (some technical details here) Use padding to ensure same length (some technical details here) Gather a batch of messages from different sources before sending them out in permuted order Gather a batch of messages from different sources before sending them out in permuted order Chaum Mix 2

13 As long as messages are not repeated, adversary can't link an incoming message with an outgoing one (anonymous within the batch) As long as messages are not repeated, adversary can't link an incoming message with an outgoing one (anonymous within the batch) Mix can discard duplicate messages Mix can discard duplicate messages B can insert different confounder in repeats B can insert different confounder in repeats B can use timestamps – repeats look different B can use timestamps – repeats look different Mix signs message batchs, sends receipt to senders Mix signs message batchs, sends receipt to senders This allows B to prove to A if a message was not forwarded This allows B to prove to A if a message was not forwarded Chaum Mix

14 If one mix is good, lots of mixes are better! If one mix is good, lots of mixes are better! B prepares M for A by selecting sequence of mixes, 1, 2, 3, …, n. B prepares M for A by selecting sequence of mixes, 1, 2, 3, …, n. Message for A is prepared for Mix 1 Message for A is prepared for Mix 1 Message for Mix 1 is prepared for Mix 2 Message for Mix 1 is prepared for Mix 2 … Message for Mix n-1 is prepared for Mix n … Message for Mix n-1 is prepared for Mix n Layered message is sent to Mix n Layered message is sent to Mix n Each mix removes its confounder, obtains address of next mix (or A), and forwards when batch is sent in permuted order Each mix removes its confounder, obtains address of next mix (or A), and forwards when batch is sent in permuted order Cascading Mixes 1

15 Mix in cascade that fails to forward a message can be detected as before (the preceding mix gets the signed receipt) Mix in cascade that fails to forward a message can be detected as before (the preceding mix gets the signed receipt) Any mix in cascade that is not compromised can provide unlinkability Any mix in cascade that is not compromised can provide unlinkability This gets us anonymous message delivery, but does not allow return messages This gets us anonymous message delivery, but does not allow return messages Cascading Mixes 2

16 B generates a public key K b for the message B generates a public key K b for the message B seals its true address and another key K using the mix's key K 1 : RetAddr = ({K,B}K 1, K b ) B seals its true address and another key K using the mix's key K 1 : RetAddr = ({K,B}K 1, K b ) A encrypts reply M and confounder R 0 with message key K b and sends to mix along with return address: Reply = {K,B}K 1, {R 0 |M}K b A encrypts reply M and confounder R 0 with message key K b and sends to mix along with return address: Reply = {K,B}K 1, {R 0 |M}K b Mix decrypts address and key, uses key K to re-encrypt reply: {{R 0 |M}K b }K and sends to B Mix decrypts address and key, uses key K to re-encrypt reply: {{R 0 |M}K b }K and sends to B Return Addresses 1 Return Addresses 1

17 B must generate new return address keys for each message (K and K b ) so there are no duplicates B must generate new return address keys for each message (K and K b ) so there are no duplicates Mix must remove duplicates if found Mix must remove duplicates if found Symmetric cryptography may be used for both K and K b here (but not for mix key!) Symmetric cryptography may be used for both K and K b here (but not for mix key!) – How? Cascade can return messages by building the return address in reverse order, then peeling off layers as the reply is forwarded (and encrypted) along the return path Cascade can return messages by building the return address in reverse order, then peeling off layers as the reply is forwarded (and encrypted) along the return path Return Addresses 2 Return Addresses 2

18 For cascaded mixes, must build return address for the whole path For cascaded mixes, must build return address for the whole path Receiver uses built-up return address and return key to send reply Receiver uses built-up return address and return key to send reply Each mix on return path unwraps its portion of return address, re-encrypts, and forwards to next address Each mix on return path unwraps its portion of return address, re-encrypts, and forwards to next address Sender had all the keys (it built the return address) so it can decrypt reply Sender had all the keys (it built the return address) so it can decrypt reply Return Addresses 3 Return Addresses 3

19 Mix must make input messages unlinkable with output messages Mix must make input messages unlinkable with output messages – Messages must all be same length – Messages must all be encrypted so as to appear random – Can't hide source/destination addresses along a single hop in path, but must hide sender and receiver, as well as distance along path – Mix must randomize order of output Mix may have any number of triggers Mix may have any number of triggers Mix Generics

20 Timed mix Timed mix – Mix gathers messages for period T, then sends Threshold mix Threshold mix – Mix gathers N messages, then sends Hybrid mix Hybrid mix – Mix sends when N messages or period T reached Pool mix Pool mix – Mix keeps pool of messages of size P, when pool reaches size N+P, N randomly chosen messages are sent Continuous mix Continuous mix – Mix attaches random delay D from some distribution to each msg M, sends M when delay is reached Mix Triggers

21 In addition to padding messages to some constant length (and segmenting longer messages), mix may introduce dummy messages into traffic In addition to padding messages to some constant length (and segmenting longer messages), mix may introduce dummy messages into traffic Dummy messages especially useful in timed mixes (may not have many messages to send) Dummy messages especially useful in timed mixes (may not have many messages to send) Strong resistance from network guys Strong resistance from network guys Research question: how much does this form of padding help, and what is the relationship between increase in anonymity and cost of padding? Research question: how much does this form of padding help, and what is the relationship between increase in anonymity and cost of padding? Mix Padding

Download ppt "R. Newman Anonymity - Background. Defining anonymity Defining anonymity Need for anonymity Need for anonymity Defining privacy Defining privacy Threats."

Similar presentations

A Survey of Secure Wireless Ad Hoc Routing

A Survey of Secure Wireless Ad Hoc Routing
Sri Lanka Institute of Information Technology

Sri Lanka Institute of Information Technology
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.

1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.
Reusable Anonymous Return Channels

Reusable Anonymous Return Channels
8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.

8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.
Analysis of Onion Routing Presented in 294-4 by Jayanthkumar Kannan On 10/8/03.

Analysis of Onion Routing Presented in by Jayanthkumar Kannan On 10/8/03.
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 16 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 16 Jonathan Katz.
ITIS 6200/8200. time-stamping services Difficult to verify the creation date and accurate contents of a digital file Required properties of time-stamping.

ITIS 6200/8200. time-stamping services Difficult to verify the creation date and accurate contents of a digital file Required properties of time-stamping.
How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.

How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.
Introduction to Public Key Infrastructure (PKI) Office of Information Security The University of Texas at Brownsville & Texas Southmost College.

Introduction to Public Key Infrastructure (PKI) Office of Information Security The University of Texas at Brownsville & Texas Southmost College.
Homework #5 Solutions Brian A. LaMacchia Portions © 2002-2006, Brian A. LaMacchia. This material is provided without.

Homework #5 Solutions Brian A. LaMacchia Portions © , Brian A. LaMacchia. This material is provided without.
Network Security. Contents Security Requirements and Attacks Confidentiality with Conventional Encryption Message Authentication and Hash Functions Public-Key.

Network Security. Contents Security Requirements and Attacks Confidentiality with Conventional Encryption Message Authentication and Hash Functions Public-Key.
0x1A Great Papers in Computer Security Vitaly Shmatikov CS 380S

0x1A Great Papers in Computer Security Vitaly Shmatikov CS 380S
CRYPTOGRAPHIC DATA INTEGRITY ALGORITHMS

CRYPTOGRAPHIC DATA INTEGRITY ALGORITHMS
Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.

Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.
Towards an Analysis of Onion Routing Security Syverson, Tsudik, Reed, and Landwehr PET 2000 Presented by: Adam Lee 1/26/2006 Syverson, Tsudik, Reed, and.

Towards an Analysis of Onion Routing Security Syverson, Tsudik, Reed, and Landwehr PET 2000 Presented by: Adam Lee 1/26/2006 Syverson, Tsudik, Reed, and.
Class 13 Introduction to Anonymity CIS 755: Advanced Computer Security Spring 2014 Eugene Vasserman

Class 13 Introduction to Anonymity CIS 755: Advanced Computer Security Spring 2014 Eugene Vasserman
Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.

Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.

Similar presentations

Ads by Google